US9245109B2 - Method and apparatus for detecting tampered application - Google Patents

Method and apparatus for detecting tampered application Download PDF

Info

Publication number
US9245109B2
US9245109B2 US13/767,294 US201313767294A US9245109B2 US 9245109 B2 US9245109 B2 US 9245109B2 US 201313767294 A US201313767294 A US 201313767294A US 9245109 B2 US9245109 B2 US 9245109B2
Authority
US
United States
Prior art keywords
execution code
application
execution
tampered
extracted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US13/767,294
Other versions
US20130227688A1 (en
Inventor
Bumhan KIM
Sunghoon YOO
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Samsung Electronics Co Ltd
Original Assignee
Samsung Electronics Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Samsung Electronics Co Ltd filed Critical Samsung Electronics Co Ltd
Assigned to SAMSUNG ELECTRONICS CO., LTD. reassignment SAMSUNG ELECTRONICS CO., LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: KIM, BUMHAN, YOO, SUNGHOON
Publication of US20130227688A1 publication Critical patent/US20130227688A1/en
Application granted granted Critical
Publication of US9245109B2 publication Critical patent/US9245109B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • the present invention relates to a method and an apparatus for detecting a tampered application. More particularly, the present invention relates to a method for detecting a tampered application after installation of an application, and an apparatus thereof.
  • the application may be installed by a user or a device provider in a terminal such as a smart phone.
  • the installed application may be executed according to an execution command of a user or other environments after this.
  • FIG. 1 is a diagram illustrating a procedure of installing and executing an application by a terminal using an Android operating system according to the related art.
  • a MediaHub.apk 105 package is installed in step 140 .
  • a signature verification module 110 of the Android operating system verifies a signature of the MediaHub.apk 105 package.
  • the terminal stores an optimized execution code 115 extracted from a corresponding application package in step 150 .
  • the optimized executed code may be configured by an odex format.
  • a user 120 After configuring the optimized executed code by the odex format, a user 120 inputs an execution command with respect to a Media Hub application 125 in step 160 .
  • the execution command with respect to a Media Hub application 125 is transferred to a dalvik virtual machine 130 of Android in step 170 .
  • the dalvik virtual machine 130 of the Android loads an execution code 115 of an odex format to execute the Media Hub application 125 in step 180 .
  • the user may install an application and then execute the application.
  • DRM Digital Rights Management
  • an Android operating system performs a signature verification procedure.
  • the execution code 115 is tampered, there is a problem that detection of the tampered execution code or execution of the tampered execution code cannot be interrupted.
  • an aspect of the present invention is to provide an apparatus for detecting a tampered application capable of detecting a tampered execution code after an application is installed and suitably processing the tampered execution code, and a method thereof.
  • a method of detecting a tampered application includes acquiring a package of an application, extracting and installing a first execution code from the acquired package of the application, extracting a second execution code from the package of the application when an execution command of the application is received after the first execution code is installed, and performing a preset operation when the second execution code differs from the first execution code.
  • an apparatus for detecting a tampered application includes a memory for storing a package of an application, and a controller for extracting and installing a first execution code from the stored package of the application, for extracting a second execution code from the package of the application when an execution command of the application is received after the first execution code is installed, and for performing a preset operation when the second execution code differs from the first execution code.
  • FIG. 1 is a diagram illustrating a procedure of installing and executing an application by a terminal using an Android operating system according to the related art
  • FIG. 2 is a diagram illustrating a tampering attack pattern of an application according to the related art
  • FIG. 3 is a block diagram illustrating an apparatus for detecting a tampered application according to an exemplary embodiment of the present invention
  • FIG. 4 is a diagram illustrating a procedure of detecting a tampered application in a terminal according to an exemplary embodiment of the present invention
  • FIG. 5 is a diagram illustrating a procedure of detecting a tampered application in a terminal according to another exemplary embodiment of the present invention.
  • FIG. 6 is a flowchart illustrating a method of detecting a tampered application in a terminal according to an exemplary embodiment of the present invention.
  • FIG. 2 is a diagram illustrating a tampering attack pattern of an application according to the related art.
  • a normal MediaHub.apk package 105 is installed in step 140 .
  • a signature verifying procedure 110 is performed.
  • the terminal extracts an optimized execution code 115 from the package 105 in step 150 .
  • an attacker 112 tampers with the installed execution code 115 in step 155 .
  • An original execution code 115 is converted into a tampered execution code 117 according to a tampering attack of the attacker 112 .
  • the user 120 executes a corresponding application in the media hub 125 in step 160 and a dalvik virtual machine 130 is executed in step 170 .
  • the dalvik virtual machine 130 does not detect that an execution code is tampered and loads and executes the tampered execution code 117 as is in step 180 .
  • a method capable of detecting or preventing an attack tampering an execution code after a package is installed is not known in the art.
  • FIG. 3 is a block diagram illustrating an apparatus 300 for detecting a tampered application according to an exemplary embodiment of the present invention.
  • the apparatus 300 for detecting a tampered application includes a communication unit 310 , an audio processor 320 , a display unit 330 , an input unit 340 , a memory 350 , and a controller 360 .
  • the communication unit 310 performs a transceiving function of corresponding data for wired communication or wireless communication of the apparatus 300 for detecting a tampered application.
  • the communication unit 310 may include an RF receiver for up-converting a frequency of a transmitted signal and amplifying the converted signal and an RF receiver for low-noise-amplifying a received signal and down-converting the amplified signal.
  • the communication unit 310 may receive data through a wireless channel and output the received data to the controller 360 , and transmit data outputted from the controller 360 through the wireless channel.
  • the communication unit 310 may transceive an application package file or data necessary for executing an application. If transceiving of image/voice or data is necessary, the communication unit 310 may be modified accordingly.
  • the audio processor 320 converts a digital audio signal into an analog audio signal through an audio CODEC and plays the analog audio signal through a speaker SPK.
  • the audio processor 320 converts an analog audio signal inputted from the microphone MIC into a digital audio signal through the audio CODEC.
  • the audio processor 320 may be configured by a CODEC.
  • the CODEC may be configured by a data CODEC processing packet data and an audio CODEC processing an audio signal such as a voice. If a separate processing of the audio is not necessary, the audio processor 320 may be omitted.
  • the display unit 330 visually provides a menu of the apparatus 300 for detecting a tampered application, input data, function setting information and various other information to the user.
  • the display unit 330 performs a function of outputting a booting screen, an idle screen, a menu screen, a call screen, and other application screens of the apparatus 300 for detecting a tampered application.
  • the display unit 330 may display an image received from the other image call party.
  • the display unit 330 may be configured by a Liquid Crystal Display (LCD), an Organic Light Emitting Diode (OLED), an Active Matrix Organic Light Emitting Diode (AMOLED), and the like.
  • LCD Liquid Crystal Display
  • OLED Organic Light Emitting Diode
  • AMOLED Active Matrix Organic Light Emitting Diode
  • the input unit 340 receives a control input of a user and transfers the received control input of the user to the controller 360 .
  • the input unit 340 may be implemented in the form of a touch sensor and/or a key pad.
  • the touch sensor detects a touch input of the user.
  • the touch sensor may be configured by a touch sensor of a capacitive overlay, a resistive overlay type, an infrared beam type, a pressure sensor, and the like.
  • various types of sensor devices capable of detecting contact or pressure of an object may be configured as a touch sensor of the present exemplary embodiment.
  • the touch sensor detects a touch input of the user and generates and transmits a detection signal to the controller 360 .
  • the detection signal includes coordinate data which indicates where the user inputted a touch.
  • the touch sensor When the user inputs a touch location moving operation, the touch sensor generates and transmits a detection signal including coordinate data of a touch location moving path.
  • a key pad receives a key operation of the user for controlling the apparatus 300 for detecting a tampered application, and generates and transfers an input signal to the controller 360 .
  • the key pad may include numeric keys and arrow keys, and may be provided as a predetermined function key on a side of the apparatus 300 for detecting a tampered application.
  • the input unit 340 may include only a touch sensor or only a key pad. When a separate control input is unnecessary, the input unit 340 may be omitted.
  • the memory 350 stores programs and data necessary for an operation of the portable terminal 100 .
  • the memory 350 may be divided into a program area and a data area.
  • the program area may store a program controlling an overall operation of the apparatus 300 for detecting a tampered application, an operating system OS for booting the apparatus 300 for detecting a tampered application, an application program necessary for playing multi-media contents, and an application program necessary for other option functions of the apparatus 300 for detecting a tampered application, for example, a camera function, a voice playback function, an image or moving image playback function and the like.
  • the data area is an area for storing data generated according to use of the apparatus 300 for detecting a tampered application, and may store images, moving images, phone-book, audio data, and the like.
  • the memory 350 may store a package file of an application and an optimized execution code.
  • the controller 360 controls an overall operation of respective constituent elements of the apparatus 300 for detecting a tampered application.
  • the controller 360 may extract an execution code from a package file of a corresponding application and compare the extracted execution code with an original execution code stored in the memory 350 .
  • the controller 360 may perform a suitable operation of blocking an execution of a corresponding application or recording or storing information indicating that the application is tampered. A detail description of the controller 360 will be given with reference to FIGS. 4 to 6 .
  • FIG. 4 is a diagram illustrating a procedure of detecting a tampered application in a terminal according to an exemplary embodiment of the present invention.
  • a MediaHub.apk package 105 is installed in step 140 .
  • a signature verification module 110 of an Android operating system verifies a signature of the MediaHub.apk package 105 .
  • a terminal stores an optimized execution code 115 extracted from a corresponding application package in step 150 .
  • the optimized execution code may be configured by an odex format.
  • the attacker 112 tampers with the execution code 115 to generate a tampered execution code 117 in step 155 .
  • the user 120 After generating the tampered execution code 117 in step 115 , the user 120 inputs an execution command with respect to a Media Hub application 125 in step 160 .
  • the execution command with respect to a Media Hub application 125 is transferred to a dalvik virtual machine 130 of Android in step 170 .
  • the dalvik virtual machine 130 of Android loads an execution code 117 of an odex format to execute a Media Hub application 125 in step 180 .
  • a tampering detector 405 when an execution command of a Media Hub application 125 is inputted, a tampering detector 405 reads an original package file from the MediaHub.apk package 105 to verify a signature in step 410 . In this case, if the signature is invalid, since the package file 105 is invalid, an execution of the application may stop. When the signature is valid, the tampering detector 405 newly extracts an execution code 119 from the MediaHub.apk package 105 in step 420 . Next, the tampering detector 405 compares a newly generated execution code 119 with the tampered execution code 117 in step 430 . In this case, since the execution code is tampered, the tampering detector 450 may report, at step 440 , that an execution code of a corresponding application is tampered to an Android operating system.
  • the tampering detector 405 may prevent execution of the corresponding application or store information indicating that the corresponding application is tampered. The stored information may help to prove a cause of a problem of the terminal afterwards.
  • a lower function for executing a corresponding application may be restricted. For example, when the tampering detector 405 detects that a moving image playback application is tampered, a function of a CODEC module necessary for executing the application may be restricted. Through this, execution of a corresponding tampered application may be substantially prevented.
  • the tampering detector 405 when the newly extracted execution code is the same as an originally stored execution code, the tampering detector 405 needs not to perform a separate operation and the Media Hub application 125 may be performed without problem.
  • the user 120 may differ from or may be the attacker 112 . That is, because it is difficult for persons other than the user 120 to approach a corresponding terminal, the user 120 generally and intentionally tampers with an execution code of an application.
  • the apparatus 300 for detecting the tampered application detects tampering of an execution code of the application
  • the apparatus stops execution of the tampered execution code or limits a lower function, thereby preventing a problem with the terminal and preventing the user from executing an application by bypassing a restricting function regarding copyright and other restrictions.
  • the apparatus 300 for detecting a tampered application detects tampering of an execution code of an application and stores corresponding information
  • the stored information may help to prove a cause of a problem occurring in a terminal afterwards.
  • FIG. 5 is a diagram illustrating a procedure of detecting a tampered application in a terminal according to another exemplary embodiment of the present invention.
  • a case illustrated in FIG. 4 is limited to the Android operating system but the exemplary embodiments of the present invention are applicable to a general case as illustrated in FIG. 5 .
  • a signed object (application) package 505 is installed in step 540 .
  • a signature verification module 510 of a system verifies a signature of a corresponding object package 505 .
  • the terminal stores an optimized execution code (object) 515 extracted from a corresponding application package in step 550 .
  • the attacker 512 tampers with the execution code 515 to generate a tampered execution code (object) 517 in step 555 .
  • the user 520 After generating the tampered execution code, the user 520 inputs an execution command of the installed application in step 560 .
  • the execution command of the application is transferred to an operating system 530 .
  • the operating system 530 loads the execution code 117 so as to execute a corresponding application in step 580 .
  • the tampering detector 405 reads an original package file (signed object) 505 of a corresponding application to verify a signature in step 590 .
  • the signature is invalid, since the package file 505 is also invalid, an execution of the application may stop.
  • the tampering detector 405 newly extracts an optimized execution code (object) 519 from an original package 505 in step 592 .
  • the tampering detector 405 compares the newly generated execution code 519 with the tampered execution code 517 in step 594 . Since the execution code is tampered in this case, the tampering detector 405 may report that an execution code of a corresponding application is tampered to the system 530 in step 596 .
  • the tampering detector 405 may stop execution of a corresponding application or store information indicating that a corresponding application is tampered. The stored information may help to prove a cause of a problem of the terminal afterwards. If detecting tampering of an execution code, the tampering detector 405 may restrict a lower function for executing a corresponding application. For instance, when detecting that a moving image playback application is tampered, the tampering detector 405 may restrict a function of a CODEC module necessary for executing the application. Through this, an execution of a substantially tampered application may be prevented.
  • the tampering detector 405 As a result determined by the tampering detector 405 , if the newly extracted execution code is identical with an originally stored execution code, the tampering detector 405 needs not to perform a separate operation and the application may be performed without problem.
  • the user 520 may be different from or identical to the attacker 512 . That is, because it is difficult for persons other than the user 520 to approach a corresponding terminal, the user 520 generally and intentionally tampers an execution code of an application.
  • the apparatus 300 for detecting the tampered application detects tampering of an execution code of the application to stop execution of the tampered execution code or to limit a lower function
  • a problem of the terminal is previously prevented and the user may prevent execution of an application by bypassing a restricting function of copyright and other restrictions.
  • the apparatus 300 for detecting a tampered application detects tampering of an execution code of an application and stores information indicating that a corresponding application is tampered, the stored information may help to prove a cause of a problem occurring in a terminal afterwards.
  • FIG. 6 is a flowchart illustrating a method of detecting a tampered application in a terminal according to an exemplary embodiment of the present invention.
  • step 610 Before performing step 610 , it is assumed that an application package is downloaded or is acquired in another scheme and then installed. In this case, the first execution code is stored.
  • a controller 360 determines whether an application execution input is received in step 610 . If the application execution input is not received, the controller 360 repeats step 610 until the application execution input is received. When the application execution input is received, the process goes to step 620 .
  • the controller 360 extracts a second execution code from a package in a run time, namely, after the application execution input is received in step 620 . In this case, verification of the signature may be also performed.
  • the controller 360 determines whether a second execution code is identical with a first execution code stored when installing the package in step 630 . When the second execution code differs from the first execution code, the controller 360 may report an application tampering fact to other operating systems in step 640 . When the second execution code is identical with the first execution code, an application is executed according to a scheme of the related art without performing a separate specific procedure.
  • the controller 360 When a signature of the application is invalid or a newly extracted execution code differs from an execution code of an application stored before an execution input, the controller 360 performs a preset operation.
  • An operation of the controller 360 when the signage of the application is invalid may be set to be identical with or different from an operation of the controller 360 when the newly extracted execution code differs from the execution code of an application stored before the execution input.
  • the controller 360 may store information indicating that a signature of a corresponding application is invalid.
  • the controller 360 determines that an execution code of the application is tampered.
  • the controller 360 may store information indicating that an execution code of a corresponding application is tampered or report that an execution code of a corresponding application is tampered to other operating systems.
  • the controller 360 may prevent an execution of a corresponding application or prevent provision of a detailed function necessary to execute the corresponding application. For instance, when a moving image playback application is tampered, the controller 360 may prevent provision of a moving image CODEC function.
  • an execution code is tampered after installation of the application by newly extracting and comparing an application execution code in a run time may be easily detected.
  • the application execution code is tampered, information indicating that an execution of the application is prevented or the application is tampered is stored so that a bad effect due to a tampered application execution code may be prevented or reduced.
  • An exemplary embodiment of the present invention may provide an apparatus and a method for detecting a tampered application which may detect and suitably process tampering of an execution code after installation of the application.
  • computer program instructions may be mounted in a processor of a universal computer, a special computer or other programmable data processing equipment, instructions performed through a processor of a computer or other programmable data processing equipment generates instructions for performing functions described in block(s) of the flowcharts. Since the computer program instructions may be stored in a computer available or computer readable memory capable of orienting a computer or other programmable data processing equipment to implement functions in a specific scheme, instructions stored in the computer available or computer readable memory may produce manufacturing articles involving the instructions executing the functions described in the block(s) of the flowcharts.
  • the computer program instructions may be mounted on a computer or other programmable data processing equipment, a series of operation steps are performed in the computer or other programmable data processing equipment to create a process executed by the computer such that instructions performing the computer or other programmable data processing equipment may provide steps for executing functions described in the block(s) of the flowcharts.
  • each block may indicate a part of a module, a segment, or a code including at least one executable instruction for executing specific logical function(s). It should be noticed that several execution examples may generate functions described in blocks and may be out of an order. For example, two continuously shown blocks may be simultaneously performed, and the blocks may be performed in a converse order according to corresponding functions.
  • the term “ ⁇ unit” refers to software or a hardware structural element such as FPGA or ASIC, and the term “ ⁇ unit” performs some roles.
  • the “ ⁇ unit” is not limited to software or hardware.
  • the term “ ⁇ unit” can be configured to be stored in an addressable storage medium and to play at least one process. Accordingly, for example, the term “ ⁇ unit” includes software structural elements, object-oriented software structural elements, class structural elements, task structural elements, processes, functions, attributes, procedures, subroutines, segments of a program code, drivers, firmware, microcode, circuit, data, database, data structures, tables, arrays, and variables.
  • structural elements and the “ ⁇ units” may be engaged by the smaller number of structural elements and the “ ⁇ units”, may be divided by additional structural elements. Furthermore, the structural elements and the “ ⁇ units” may be implemented to play a device or at least one CPU in a security multimedia card.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Telephone Function (AREA)
  • Stored Programmes (AREA)

Abstract

A method and an apparatus for detecting a tampered application are provided. The method of detecting a tampered application includes acquiring a package of an application, extracting and installing a first execution code from the acquired package of the application, extracting a second execution code from the package of the application when an execution command of the application is received after the first execution code is installed, and performing a preset operation when the second execution code differs from the first execution code.

Description

PRIORITY
This application claims the benefit under 35 U.S.C. §119(a) of a Korean patent application filed on Feb. 24, 2012 in the Korean Intellectual Property Office and assigned Serial No. 10-2012-0019115, the entire disclosure of which is hereby incorporated by reference.
BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to a method and an apparatus for detecting a tampered application. More particularly, the present invention relates to a method for detecting a tampered application after installation of an application, and an apparatus thereof.
2. Description of the Related Art
In recent years, as a smart phone is supplied, use of various types of applications have actively increased in the smart phone. The application may be installed by a user or a device provider in a terminal such as a smart phone. The installed application may be executed according to an execution command of a user or other environments after this.
FIG. 1 is a diagram illustrating a procedure of installing and executing an application by a terminal using an Android operating system according to the related art.
Referring to FIG. 1, a MediaHub.apk 105 package is installed in step 140. A signature verification module 110 of the Android operating system verifies a signature of the MediaHub.apk 105 package. After the signature is verified, the terminal stores an optimized execution code 115 extracted from a corresponding application package in step 150. In this case, the optimized executed code may be configured by an odex format.
After configuring the optimized executed code by the odex format, a user 120 inputs an execution command with respect to a Media Hub application 125 in step 160. The execution command with respect to a Media Hub application 125 is transferred to a dalvik virtual machine 130 of Android in step 170. The dalvik virtual machine 130 of the Android loads an execution code 115 of an odex format to execute the Media Hub application 125 in step 180. In the foregoing way, the user may install an application and then execute the application.
Applications of the smart phone provide a convenient function to a user. However, a maliciously tampered application may download unwanted information to the smart phone and damage the phone or applications installed on it. An application providing contents such as music, images, or e-book uses Digital Rights Management (DRM) for protecting copyright. The maliciously tampered application may incapacitate a copyright protection function such as DRM.
To prevent execution of a tampered application in the smart phone, when installing the application, an Android operating system performs a signature verification procedure. However, after the application is installed, when the execution code 115 is tampered, there is a problem that detection of the tampered execution code or execution of the tampered execution code cannot be interrupted.
SUMMARY OF THE INVENTION
Aspects of the present invention are to address at least the above-mentioned problems and/or disadvantages and to provide at least the advantages described below. Accordingly, an aspect of the present invention is to provide an apparatus for detecting a tampered application capable of detecting a tampered execution code after an application is installed and suitably processing the tampered execution code, and a method thereof.
In accordance with an aspect of the present invention, a method of detecting a tampered application is provided. The method includes acquiring a package of an application, extracting and installing a first execution code from the acquired package of the application, extracting a second execution code from the package of the application when an execution command of the application is received after the first execution code is installed, and performing a preset operation when the second execution code differs from the first execution code.
In accordance with another aspect of the present invention, an apparatus for detecting a tampered application is provided. The apparatus includes a memory for storing a package of an application, and a controller for extracting and installing a first execution code from the stored package of the application, for extracting a second execution code from the package of the application when an execution command of the application is received after the first execution code is installed, and for performing a preset operation when the second execution code differs from the first execution code.
Other aspects, advantages, and salient features of the invention will become apparent to those skilled in the art from the following detailed description, which, taken in conjunction with the annexed drawings, discloses exemplary embodiments of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
The above and other aspects, features, and advantages of certain exemplary embodiments of the present invention will be more apparent from the following description taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a diagram illustrating a procedure of installing and executing an application by a terminal using an Android operating system according to the related art;
FIG. 2 is a diagram illustrating a tampering attack pattern of an application according to the related art;
FIG. 3 is a block diagram illustrating an apparatus for detecting a tampered application according to an exemplary embodiment of the present invention;
FIG. 4 is a diagram illustrating a procedure of detecting a tampered application in a terminal according to an exemplary embodiment of the present invention;
FIG. 5 is a diagram illustrating a procedure of detecting a tampered application in a terminal according to another exemplary embodiment of the present invention; and
FIG. 6 is a flowchart illustrating a method of detecting a tampered application in a terminal according to an exemplary embodiment of the present invention.
Throughout the drawings, it should be noted that like reference numbers are used to depict the same or similar elements, features, and structures.
DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS
The following description with reference to the accompanying drawings is provided to assist in a comprehensive understanding of exemplary embodiments of the invention as defined by the claims and their equivalents. It includes various specific details to assist in that understanding but these are to be regarded as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. In addition, descriptions of well-known functions and constructions may be omitted for clarity and conciseness.
The terms and words used in the following description and claims are not limited to the bibliographical meanings, but, are merely used by the inventor to enable a clear and consistent understanding of the invention. Accordingly, it should be apparent to those skilled in the art that the following description of exemplary embodiments of the present invention is provided for illustration purpose only and not for the purpose of limiting the invention as defined by the appended claims and their equivalents.
It is to be understood that the singular forms “a,” “an,” and “the” include plural referents unless the context clearly dictates otherwise. Thus, for example, reference to “a component surface” includes reference to one or more of such surfaces.
Hereinafter, an apparatus and a method for detecting a tampered application in a terminal according to an exemplary embodiment of the present invention will be described with reference to the accompanying drawings.
Before a description of the present invention, a pattern of an application tampering attack is described.
FIG. 2 is a diagram illustrating a tampering attack pattern of an application according to the related art.
Referring to FIG. 2, in the same manner as in FIG. 1, a normal MediaHub.apk package 105 is installed in step 140. When the package 105 is installed, a signature verifying procedure 110 is performed. After performing the signature verification procedure, the terminal extracts an optimized execution code 115 from the package 105 in step 150. Next, an attacker 112 tampers with the installed execution code 115 in step 155. An original execution code 115 is converted into a tampered execution code 117 according to a tampering attack of the attacker 112. Next, the user 120 executes a corresponding application in the media hub 125 in step 160 and a dalvik virtual machine 130 is executed in step 170. The dalvik virtual machine 130 does not detect that an execution code is tampered and loads and executes the tampered execution code 117 as is in step 180.
A method capable of detecting or preventing an attack tampering an execution code after a package is installed is not known in the art.
FIG. 3 is a block diagram illustrating an apparatus 300 for detecting a tampered application according to an exemplary embodiment of the present invention.
Referring to FIG. 3, the apparatus 300 for detecting a tampered application according to an exemplary embodiment of the present invention includes a communication unit 310, an audio processor 320, a display unit 330, an input unit 340, a memory 350, and a controller 360.
The communication unit 310 performs a transceiving function of corresponding data for wired communication or wireless communication of the apparatus 300 for detecting a tampered application. For example, the communication unit 310 may include an RF receiver for up-converting a frequency of a transmitted signal and amplifying the converted signal and an RF receiver for low-noise-amplifying a received signal and down-converting the amplified signal. The communication unit 310 may receive data through a wireless channel and output the received data to the controller 360, and transmit data outputted from the controller 360 through the wireless channel.
More particularly, the communication unit 310 according to an exemplary embodiment of the present invention may transceive an application package file or data necessary for executing an application. If transceiving of image/voice or data is necessary, the communication unit 310 may be modified accordingly.
The audio processor 320 converts a digital audio signal into an analog audio signal through an audio CODEC and plays the analog audio signal through a speaker SPK. The audio processor 320 converts an analog audio signal inputted from the microphone MIC into a digital audio signal through the audio CODEC. The audio processor 320 may be configured by a CODEC. The CODEC may be configured by a data CODEC processing packet data and an audio CODEC processing an audio signal such as a voice. If a separate processing of the audio is not necessary, the audio processor 320 may be omitted.
The display unit 330 visually provides a menu of the apparatus 300 for detecting a tampered application, input data, function setting information and various other information to the user. The display unit 330 performs a function of outputting a booting screen, an idle screen, a menu screen, a call screen, and other application screens of the apparatus 300 for detecting a tampered application. When the apparatus 300 for detecting a tampered application supports an image call, the display unit 330 may display an image received from the other image call party.
The display unit 330 may be configured by a Liquid Crystal Display (LCD), an Organic Light Emitting Diode (OLED), an Active Matrix Organic Light Emitting Diode (AMOLED), and the like.
The input unit 340 receives a control input of a user and transfers the received control input of the user to the controller 360. The input unit 340 may be implemented in the form of a touch sensor and/or a key pad.
The touch sensor detects a touch input of the user. The touch sensor may be configured by a touch sensor of a capacitive overlay, a resistive overlay type, an infrared beam type, a pressure sensor, and the like. In addition to the foregoing sensors, various types of sensor devices capable of detecting contact or pressure of an object may be configured as a touch sensor of the present exemplary embodiment. The touch sensor detects a touch input of the user and generates and transmits a detection signal to the controller 360. The detection signal includes coordinate data which indicates where the user inputted a touch. When the user inputs a touch location moving operation, the touch sensor generates and transmits a detection signal including coordinate data of a touch location moving path.
A key pad receives a key operation of the user for controlling the apparatus 300 for detecting a tampered application, and generates and transfers an input signal to the controller 360. The key pad may include numeric keys and arrow keys, and may be provided as a predetermined function key on a side of the apparatus 300 for detecting a tampered application.
The input unit 340 may include only a touch sensor or only a key pad. When a separate control input is unnecessary, the input unit 340 may be omitted.
The memory 350 stores programs and data necessary for an operation of the portable terminal 100. The memory 350 may be divided into a program area and a data area. The program area may store a program controlling an overall operation of the apparatus 300 for detecting a tampered application, an operating system OS for booting the apparatus 300 for detecting a tampered application, an application program necessary for playing multi-media contents, and an application program necessary for other option functions of the apparatus 300 for detecting a tampered application, for example, a camera function, a voice playback function, an image or moving image playback function and the like. The data area is an area for storing data generated according to use of the apparatus 300 for detecting a tampered application, and may store images, moving images, phone-book, audio data, and the like. In particular, the memory 350 may store a package file of an application and an optimized execution code.
The controller 360 controls an overall operation of respective constituent elements of the apparatus 300 for detecting a tampered application.
More particularly, when receiving an application execution command as illustrated in FIGS. 4 to 6, the controller 360 may extract an execution code from a package file of a corresponding application and compare the extracted execution code with an original execution code stored in the memory 350. When an execution code again extracted from the package file differs from the original execution code stored in the memory 350 in the comparison result, the controller 360 may perform a suitable operation of blocking an execution of a corresponding application or recording or storing information indicating that the application is tampered. A detail description of the controller 360 will be given with reference to FIGS. 4 to 6.
FIG. 4 is a diagram illustrating a procedure of detecting a tampered application in a terminal according to an exemplary embodiment of the present invention.
First, a MediaHub.apk package 105 is installed in step 140. A signature verification module 110 of an Android operating system verifies a signature of the MediaHub.apk package 105. After verifying the signature, a terminal stores an optimized execution code 115 extracted from a corresponding application package in step 150. In this case, the optimized execution code may be configured by an odex format. After the execution code 115 is stored, the attacker 112 tampers with the execution code 115 to generate a tampered execution code 117 in step 155.
After generating the tampered execution code 117 in step 115, the user 120 inputs an execution command with respect to a Media Hub application 125 in step 160. The execution command with respect to a Media Hub application 125 is transferred to a dalvik virtual machine 130 of Android in step 170. The dalvik virtual machine 130 of Android loads an execution code 117 of an odex format to execute a Media Hub application 125 in step 180.
However, according to an exemplary embodiment of the present invention, when an execution command of a Media Hub application 125 is inputted, a tampering detector 405 reads an original package file from the MediaHub.apk package 105 to verify a signature in step 410. In this case, if the signature is invalid, since the package file 105 is invalid, an execution of the application may stop. When the signature is valid, the tampering detector 405 newly extracts an execution code 119 from the MediaHub.apk package 105 in step 420. Next, the tampering detector 405 compares a newly generated execution code 119 with the tampered execution code 117 in step 430. In this case, since the execution code is tampered, the tampering detector 450 may report, at step 440, that an execution code of a corresponding application is tampered to an Android operating system.
According to another exemplary embodiment of the present invention, when detecting tampering of the execution code, the tampering detector 405 may prevent execution of the corresponding application or store information indicating that the corresponding application is tampered. The stored information may help to prove a cause of a problem of the terminal afterwards. When the tampering detector 405 detects tampering of the execution code, a lower function for executing a corresponding application may be restricted. For example, when the tampering detector 405 detects that a moving image playback application is tampered, a function of a CODEC module necessary for executing the application may be restricted. Through this, execution of a corresponding tampered application may be substantially prevented.
According to this exemplary embodiment of the present invention, as a result determined by the tampering detector 405, when the newly extracted execution code is the same as an originally stored execution code, the tampering detector 405 needs not to perform a separate operation and the Media Hub application 125 may be performed without problem.
In the exemplary embodiment of FIG. 4, the user 120 may differ from or may be the attacker 112. That is, because it is difficult for persons other than the user 120 to approach a corresponding terminal, the user 120 generally and intentionally tampers with an execution code of an application.
As described above, when the apparatus 300 for detecting the tampered application detects tampering of an execution code of the application, the apparatus stops execution of the tampered execution code or limits a lower function, thereby preventing a problem with the terminal and preventing the user from executing an application by bypassing a restricting function regarding copyright and other restrictions. According to another exemplary embodiment of the present invention, when the apparatus 300 for detecting a tampered application detects tampering of an execution code of an application and stores corresponding information, the stored information may help to prove a cause of a problem occurring in a terminal afterwards.
FIG. 5 is a diagram illustrating a procedure of detecting a tampered application in a terminal according to another exemplary embodiment of the present invention. A case illustrated in FIG. 4 is limited to the Android operating system but the exemplary embodiments of the present invention are applicable to a general case as illustrated in FIG. 5.
First, a signed object (application) package 505 is installed in step 540. A signature verification module 510 of a system verifies a signature of a corresponding object package 505. After the signature is verified, the terminal stores an optimized execution code (object) 515 extracted from a corresponding application package in step 550. After the execution code 515 is stored, the attacker 512 tampers with the execution code 515 to generate a tampered execution code (object) 517 in step 555.
After generating the tampered execution code, the user 520 inputs an execution command of the installed application in step 560. The execution command of the application is transferred to an operating system 530. The operating system 530 loads the execution code 117 so as to execute a corresponding application in step 580.
However, according to this exemplary embodiment of the present invention, if an execution command with respect to the application is inputted, the tampering detector 405 reads an original package file (signed object) 505 of a corresponding application to verify a signature in step 590. In this case, when the signature is invalid, since the package file 505 is also invalid, an execution of the application may stop. When the signature is valid, the tampering detector 405 newly extracts an optimized execution code (object) 519 from an original package 505 in step 592. Next, the tampering detector 405 compares the newly generated execution code 519 with the tampered execution code 517 in step 594. Since the execution code is tampered in this case, the tampering detector 405 may report that an execution code of a corresponding application is tampered to the system 530 in step 596.
According to another exemplary embodiment of the present invention, if the tampering detector 405 detects tampering of the execution code, it may stop execution of a corresponding application or store information indicating that a corresponding application is tampered. The stored information may help to prove a cause of a problem of the terminal afterwards. If detecting tampering of an execution code, the tampering detector 405 may restrict a lower function for executing a corresponding application. For instance, when detecting that a moving image playback application is tampered, the tampering detector 405 may restrict a function of a CODEC module necessary for executing the application. Through this, an execution of a substantially tampered application may be prevented.
According to this exemplary embodiment of the present invention, as a result determined by the tampering detector 405, if the newly extracted execution code is identical with an originally stored execution code, the tampering detector 405 needs not to perform a separate operation and the application may be performed without problem.
In the exemplary embodiment of FIG. 5, the user 520 may be different from or identical to the attacker 512. That is, because it is difficult for persons other than the user 520 to approach a corresponding terminal, the user 520 generally and intentionally tampers an execution code of an application.
As described above, when the apparatus 300 for detecting the tampered application detects tampering of an execution code of the application to stop execution of the tampered execution code or to limit a lower function, a problem of the terminal is previously prevented and the user may prevent execution of an application by bypassing a restricting function of copyright and other restrictions. According to another exemplary embodiment of the present invention, when the apparatus 300 for detecting a tampered application detects tampering of an execution code of an application and stores information indicating that a corresponding application is tampered, the stored information may help to prove a cause of a problem occurring in a terminal afterwards.
FIG. 6 is a flowchart illustrating a method of detecting a tampered application in a terminal according to an exemplary embodiment of the present invention.
Before performing step 610, it is assumed that an application package is downloaded or is acquired in another scheme and then installed. In this case, the first execution code is stored.
A controller 360 determines whether an application execution input is received in step 610. If the application execution input is not received, the controller 360 repeats step 610 until the application execution input is received. When the application execution input is received, the process goes to step 620. The controller 360 extracts a second execution code from a package in a run time, namely, after the application execution input is received in step 620. In this case, verification of the signature may be also performed. The controller 360 determines whether a second execution code is identical with a first execution code stored when installing the package in step 630. When the second execution code differs from the first execution code, the controller 360 may report an application tampering fact to other operating systems in step 640. When the second execution code is identical with the first execution code, an application is executed according to a scheme of the related art without performing a separate specific procedure.
When a signature of the application is invalid or a newly extracted execution code differs from an execution code of an application stored before an execution input, the controller 360 performs a preset operation. An operation of the controller 360 when the signage of the application is invalid may be set to be identical with or different from an operation of the controller 360 when the newly extracted execution code differs from the execution code of an application stored before the execution input.
When the signature of the application is invalid, because an application operation due to tampering may be actually difficult, an execution of the application may stop. According to another exemplary embodiment of the present invention, when the signature of the application is invalid, the controller 360 may store information indicating that a signature of a corresponding application is invalid.
When the newly extracted execution code differs from the execution code of an application stored before the execution input according to execution input, the controller 360 determines that an execution code of the application is tampered. In this case, the controller 360 may store information indicating that an execution code of a corresponding application is tampered or report that an execution code of a corresponding application is tampered to other operating systems. According to another exemplary embodiment of the present invention, the controller 360 may prevent an execution of a corresponding application or prevent provision of a detailed function necessary to execute the corresponding application. For instance, when a moving image playback application is tampered, the controller 360 may prevent provision of a moving image CODEC function.
As described above, a case where an execution code is tampered after installation of the application by newly extracting and comparing an application execution code in a run time may be easily detected. When the application execution code is tampered, information indicating that an execution of the application is prevented or the application is tampered is stored so that a bad effect due to a tampered application execution code may be prevented or reduced.
An exemplary embodiment of the present invention may provide an apparatus and a method for detecting a tampered application which may detect and suitably process tampering of an execution code after installation of the application.
Since computer program instructions may be mounted in a processor of a universal computer, a special computer or other programmable data processing equipment, instructions performed through a processor of a computer or other programmable data processing equipment generates instructions for performing functions described in block(s) of the flowcharts. Since the computer program instructions may be stored in a computer available or computer readable memory capable of orienting a computer or other programmable data processing equipment to implement functions in a specific scheme, instructions stored in the computer available or computer readable memory may produce manufacturing articles involving the instructions executing the functions described in the block(s) of the flowcharts. Because the computer program instructions may be mounted on a computer or other programmable data processing equipment, a series of operation steps are performed in the computer or other programmable data processing equipment to create a process executed by the computer such that instructions performing the computer or other programmable data processing equipment may provide steps for executing functions described in the block(s) of the flowcharts.
Further, each block may indicate a part of a module, a segment, or a code including at least one executable instruction for executing specific logical function(s). It should be noticed that several execution examples may generate functions described in blocks and may be out of an order. For example, two continuously shown blocks may be simultaneously performed, and the blocks may be performed in a converse order according to corresponding functions.
As used in the exemplary embodiments of the present invention, the term “˜unit” refers to software or a hardware structural element such as FPGA or ASIC, and the term “˜unit” performs some roles. However, the “˜unit” is not limited to software or hardware. The term “˜unit” can be configured to be stored in an addressable storage medium and to play at least one process. Accordingly, for example, the term “˜unit” includes software structural elements, object-oriented software structural elements, class structural elements, task structural elements, processes, functions, attributes, procedures, subroutines, segments of a program code, drivers, firmware, microcode, circuit, data, database, data structures, tables, arrays, and variables. Functions provided in structural elements and the “˜units” may be engaged by the smaller number of structural elements and the “˜units”, may be divided by additional structural elements. Furthermore, the structural elements and the “˜units” may be implemented to play a device or at least one CPU in a security multimedia card.
While the invention has been shown and described with reference to certain exemplary embodiments thereof, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims and their equivalents.

Claims (19)

What is claimed is:
1. A method of detecting a tampered application in an apparatus including a communication unit and a hardware controller, the method comprising:
downloading, by the communication unit, an original package of an application, wherein the original package of the downloaded application is a package archive file comprising an execution code to be executed by at least one of a processor or a virtual machine;
extracting and installing, by the hardware controller, the execution code from the downloaded original package of the application;
re-extracting, by the hardware controller, the execution code from the original package of the application when an execution command of the application is received after the extracted execution code is installed; and
comparing, by the hardware controller, the installed execution code with the re-extracted execution code for determining whether or not the installed execution code is tampered.
2. The method of claim 1, further comprising, before the re-extracting of the execution code from the original package:
when the execution command of the application is received after the extracted execution code is installed, verifying a signature of the package of the application; and
when the signature of the package of the application is invalid, storing information indicating that the application is tampered.
3. The method of claim 1, further comprising:
storing information indicating that the installed execution code is tampered when the installed execution code differs from the re-extracted execution code.
4. The method of claim 1, further comprising:
stopping execution of the application when the installed execution code differs from the re-extracted execution code.
5. The method of claim 1, further comprising:
stopping providing a function to the application which the application uses to execute the application when the installed execution code differs from the re-extracted execution code.
6. The method of claim 1, further comprising:
reporting that the installed execution code is tampered to an operating system when the installed execution code differs from the re-extracted execution code.
7. The method of claim 1, wherein extracting and installing the execution code includes optimizing the execution code.
8. An apparatus for detecting a tampered application, the apparatus comprising:
a memory configured to store an original package of a downloaded application, wherein the original package of the downloaded application is a package archive file comprising an execution code to be executed by at least one of a processor or a virtual machine; and
a controller configured to extract and install the execution code from the stored original package of the downloaded application, to re-extract an execution code from the original package of the downloaded application when an execution command of the downloaded application is received after the extracted execution code is installed, to perform a preset operation when the re-extracted execution code differs from the installed execution code, and to compare the installed execution code with the re-extracted execution code to determine whether or not the installed execution code is tampered.
9. The apparatus of claim 8, wherein before the re-extracting of the execution code from the original package of the downloaded application, the controller is further configured to verify a signature of the package of the downloaded application when the execution command of the downloaded application is received after the extracted execution code is installed; and
to store information indicating that the downloaded application is tampered when the signature of the package of the downloaded application is invalid.
10. The apparatus of claim 8, further comprising storing information indicating that the installed execution code is tampered when the installed execution code differs from the re-extracted execution code.
11. The apparatus of claim 8, wherein the controller is further configured to stop execution of the downloaded application when the installed execution code differs from the re-extracted execution code.
12. The apparatus of claim 8, wherein the controller is further configured to stop providing a function to the downloaded application which the downloaded application uses to execute the downloaded application when the installed execution code differs from the re-extracted execution code.
13. The apparatus of claim 8, wherein the controller is further configured to report that the installed execution code is tampered to an operating system when the installed execution code differs from the re-extracted execution code.
14. The apparatus of claim 8, wherein extracting and installing the execution code includes optimizing the execution code.
15. A method of detecting a tampered application in an apparatus including a communication unit and a hardware controller, the method comprising:
downloading, by the communication unit, an application;
extracting and installing, by the hardware controller, compiled execution code from the downloaded application;
re-extracting the compiled execution code from the downloaded application, by the hardware controller, when an execution command of the downloaded application is received after the extracted compiled execution code is installed; and
determining, by the hardware controller, whether the re-extracted compiled execution code is identical to the installed compiled execution code,
wherein when it is determined that the re-extracted compiled execution code differs from the installed compiled execution code, determining, by the hardware controller, that the application is tampered, and when it is determined that the re-extracted compiled execution code is identical to the installed compiled execution code, executing, by the hardware controller, the application.
16. The method of claim 15, further comprising:
storing information indicating that the installed compiled execution code is tampered when the installed compiled execution code differs from the re-extracted compiled execution code.
17. The method of claim 15, further comprising:
stopping execution of the application when the installed compiled execution code differs from the re-extracted compiled execution code.
18. The method of claim 15, further comprising:
preventing execution of a function for executing the downloaded application when the installed compiled execution code differs from the re-extracted compiled execution code.
19. The method of claim 15, wherein extracting and installing the compiled execution code includes optimizing the compiled execution code.
US13/767,294 2012-02-24 2013-02-14 Method and apparatus for detecting tampered application Active 2033-03-02 US9245109B2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR1020120019115A KR101944010B1 (en) 2012-02-24 2012-02-24 Method and apparatus for detecting tampered application
KR10-2012-0019115 2012-02-24

Publications (2)

Publication Number Publication Date
US20130227688A1 US20130227688A1 (en) 2013-08-29
US9245109B2 true US9245109B2 (en) 2016-01-26

Family

ID=49004806

Family Applications (1)

Application Number Title Priority Date Filing Date
US13/767,294 Active 2033-03-02 US9245109B2 (en) 2012-02-24 2013-02-14 Method and apparatus for detecting tampered application

Country Status (2)

Country Link
US (1) US9245109B2 (en)
KR (1) KR101944010B1 (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101350390B1 (en) * 2013-08-14 2014-01-16 숭실대학교산학협력단 A apparatus for code obfuscation and method thereof
US9659156B1 (en) * 2014-03-20 2017-05-23 Symantec Corporation Systems and methods for protecting virtual machine program code
KR101477050B1 (en) * 2014-05-28 2015-01-08 충남대학교산학협력단 Method for extracting excutable code of application using memory dump
KR101969481B1 (en) 2015-03-13 2019-04-16 주식회사 에버스핀 Method and apparatus for generating Dynamic Secure Module
KR101673772B1 (en) * 2015-05-29 2016-11-07 현대자동차주식회사 Electro-hydraulic brake system and method for controlling the same
KR101666176B1 (en) * 2015-06-25 2016-10-14 한국전자통신연구원 Apparatus and method for of monitoring application based on android platform
CN105117641B (en) * 2015-08-20 2018-04-27 上海斐讯数据通信技术有限公司 A kind of system and method for preventing interception system interface
CN109725907A (en) * 2019-01-03 2019-05-07 百度在线网络技术(北京)有限公司 Installation method, device, equipment and the computer-readable medium of preset application
CN109815650B (en) * 2019-01-18 2022-06-24 深圳智游网安科技有限公司 Method, device and medium for calling frame based on iOS
CN110362990A (en) * 2019-05-31 2019-10-22 口碑(上海)信息技术有限公司 Using the security processing of installation, apparatus and system
CN111353148B (en) * 2020-02-07 2022-10-14 贝壳技术有限公司 Method and equipment for determining whether application program is repackaged

Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030182571A1 (en) * 2002-03-20 2003-09-25 Kabushiki Kaisha Toshiba Internal memory type tamper resistant microprocessor with secret protection function
US20030191942A1 (en) * 2002-04-03 2003-10-09 Saurabh Sinha Integrity ordainment and ascertainment of computer-executable instructions
US20040221169A1 (en) * 2003-01-30 2004-11-04 Lee Stephen J. Computer-implemented method for controlling execution of application software by a computer terminal
US20060015748A1 (en) * 2004-06-30 2006-01-19 Fujitsu Limited Secure processor and a program for a secure processor
US20070234343A1 (en) * 2006-01-27 2007-10-04 Microsoft Corporation Secure content publishing and distribution
US20080235802A1 (en) * 2007-03-21 2008-09-25 Microsoft Corporation Software Tamper Resistance Via Integrity-Checking Expressions
US7552342B1 (en) * 2005-02-16 2009-06-23 Rennie Glen Software, Llc Method and system for increasing the tamper resistance of a software application
US7707638B2 (en) * 2002-01-30 2010-04-27 Stmicroelectronics (Research & Development) Limited Autonomous software integrity checker
US7841010B2 (en) * 2007-01-08 2010-11-23 Apple Inc. Software or other information integrity verification using variable block length and selection
US20100325426A1 (en) * 2005-08-10 2010-12-23 Symbian Software Ltd. Protected software identifiers for improving security in a computing device
US7869793B2 (en) * 2006-10-31 2011-01-11 Samsung Electronics Co., Ltd Method and apparatus for preventing unauthorized use of mobile terminal
US20110321139A1 (en) * 2010-06-23 2011-12-29 K7 Computing Private Ltd. Online Protection Of Information And Resources
US20120090025A1 (en) * 2010-10-06 2012-04-12 Steve Bradford Milner Systems and methods for detection of malicious software packages
US20120246487A1 (en) * 2009-11-13 2012-09-27 Irdeto Canada Corporation System and Method to Protect Java Bytecode Code Against Static And Dynamic Attacks Within Hostile Execution Environments
US20120272072A1 (en) * 2011-04-25 2012-10-25 Samsung Electronics Co., Ltd. Apparatus and method for processing application package in portable terminal
US20130191918A1 (en) * 2012-01-25 2013-07-25 Carey Nachenberg Identifying Trojanized Applications for Mobile Environments
US8549631B2 (en) * 2009-02-12 2013-10-01 Ahnlab, Inc. Internet site security system and method thereto
US8671459B2 (en) * 2007-02-23 2014-03-11 Malcolm H. Nooning, III Prevention of software piracy using unique internal intelligence with every software application copy
US8818897B1 (en) * 2005-12-15 2014-08-26 Rockstar Consortium Us Lp System and method for validation and enforcement of application security
US20140259166A1 (en) * 2007-09-06 2014-09-11 Vijay S. Ghaskadvi Tamper resistant video rendering

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060005529A (en) * 2004-07-13 2006-01-18 엘지엔시스(주) Method for controlling the execution of software by using serial number of hdd

Patent Citations (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7707638B2 (en) * 2002-01-30 2010-04-27 Stmicroelectronics (Research & Development) Limited Autonomous software integrity checker
US20030182571A1 (en) * 2002-03-20 2003-09-25 Kabushiki Kaisha Toshiba Internal memory type tamper resistant microprocessor with secret protection function
US20030191942A1 (en) * 2002-04-03 2003-10-09 Saurabh Sinha Integrity ordainment and ascertainment of computer-executable instructions
US20040221169A1 (en) * 2003-01-30 2004-11-04 Lee Stephen J. Computer-implemented method for controlling execution of application software by a computer terminal
US20060015748A1 (en) * 2004-06-30 2006-01-19 Fujitsu Limited Secure processor and a program for a secure processor
US7552342B1 (en) * 2005-02-16 2009-06-23 Rennie Glen Software, Llc Method and system for increasing the tamper resistance of a software application
US20100325426A1 (en) * 2005-08-10 2010-12-23 Symbian Software Ltd. Protected software identifiers for improving security in a computing device
US8818897B1 (en) * 2005-12-15 2014-08-26 Rockstar Consortium Us Lp System and method for validation and enforcement of application security
US20070234343A1 (en) * 2006-01-27 2007-10-04 Microsoft Corporation Secure content publishing and distribution
US7869793B2 (en) * 2006-10-31 2011-01-11 Samsung Electronics Co., Ltd Method and apparatus for preventing unauthorized use of mobile terminal
US7841010B2 (en) * 2007-01-08 2010-11-23 Apple Inc. Software or other information integrity verification using variable block length and selection
US8671459B2 (en) * 2007-02-23 2014-03-11 Malcolm H. Nooning, III Prevention of software piracy using unique internal intelligence with every software application copy
US20080235802A1 (en) * 2007-03-21 2008-09-25 Microsoft Corporation Software Tamper Resistance Via Integrity-Checking Expressions
US20140259166A1 (en) * 2007-09-06 2014-09-11 Vijay S. Ghaskadvi Tamper resistant video rendering
US8549631B2 (en) * 2009-02-12 2013-10-01 Ahnlab, Inc. Internet site security system and method thereto
US20120246487A1 (en) * 2009-11-13 2012-09-27 Irdeto Canada Corporation System and Method to Protect Java Bytecode Code Against Static And Dynamic Attacks Within Hostile Execution Environments
US20110321139A1 (en) * 2010-06-23 2011-12-29 K7 Computing Private Ltd. Online Protection Of Information And Resources
US20120090025A1 (en) * 2010-10-06 2012-04-12 Steve Bradford Milner Systems and methods for detection of malicious software packages
US20120272072A1 (en) * 2011-04-25 2012-10-25 Samsung Electronics Co., Ltd. Apparatus and method for processing application package in portable terminal
US20130191918A1 (en) * 2012-01-25 2013-07-25 Carey Nachenberg Identifying Trojanized Applications for Mobile Environments

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Bian, Gaowei; Nakayama, Ken; Kobayashi, Yoshitake; Maekawa, Mamoru; "Mobile Code Security by Java Bytecode Dependence Analysis", IEEE International Symposium on Communications and Information Technology, Oct. 26-29, 2004, vol. 2, pp. 923-926. *

Also Published As

Publication number Publication date
KR20130101657A (en) 2013-09-16
US20130227688A1 (en) 2013-08-29
KR101944010B1 (en) 2019-01-30

Similar Documents

Publication Publication Date Title
US9245109B2 (en) Method and apparatus for detecting tampered application
Brocker et al. {iSeeYou}: Disabling the {MacBook} webcam indicator {LED}
EP3005065B1 (en) Adaptive sensing component resolution based on touch location authentication
US9235709B2 (en) Integrity protection method and apparatus for mobile terminal
US9836601B2 (en) Protecting anti-malware processes
US11238161B2 (en) Secure boot and apparatus, and terminal device
US10176327B2 (en) Method and device for preventing application in an operating system from being uninstalled
KR20170105353A (en) Electronic apparatus and control method thereof
CN109657448B (en) Method and device for acquiring Root authority, electronic equipment and storage medium
US20160142437A1 (en) Method and system for preventing injection-type attacks in a web based operating system
US20170185785A1 (en) System, method and apparatus for detecting vulnerabilities in electronic devices
JP6030566B2 (en) Unauthorized application detection system and method
US20150019800A1 (en) Firmware Package to Modify Active Firmware
KR101757407B1 (en) Apparatus, method and computer program for merging binary files
US9684790B2 (en) Application processing apparatus and method for mobile terminal
US11397811B2 (en) System and method for application tamper discovery
US20160127412A1 (en) Method and system for detecting execution of a malicious code in a web based operating system
CN106778297B (en) Application program running method and device and mobile terminal
US11222096B2 (en) Protecting an item of software
US11328055B2 (en) Process verification
US20210224384A1 (en) Communicating an event to a remote entity
US20140059701A1 (en) Method of protecting and managing digital contents and apparatus thereof
CN114840879A (en) Prompt message output method and prompt message output device
WO2018045728A1 (en) Method and apparatus for protecting unlocked status of touch screen
CN117932689A (en) Service protection method and device, electronic equipment and readable storage medium

Legal Events

Date Code Title Description
AS Assignment

Owner name: SAMSUNG ELECTRONICS CO., LTD., KOREA, REPUBLIC OF

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KIM, BUMHAN;YOO, SUNGHOON;REEL/FRAME:029813/0931

Effective date: 20121105

STCF Information on status: patent grant

Free format text: PATENTED CASE

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8